
Introduction
For fintech companies, crypto firms, and banks, the wrong vendor relationship isn't just an operational nuisance — it's a compliance liability. When Synapse Financial Technologies filed for bankruptcy in April 2024, tens of thousands of customer accounts were frozen and a trustee identified an $85 million shortfall between partner bank funds and amounts owed to depositors.
That same year, the Federal Reserve issued an enforcement action against Evolve Bank & Trust for AML and risk management deficiencies tied to insufficient fintech-partnership oversight.
These aren't edge cases. Regulators — including the OCC, FCA, FinCEN, and FINTRAC — hold regulated entities accountable for what their vendors do.
This guide gives you the tools to get that accountability right from the start:
- A practical vendor due diligence (VDD) checklist organized across six risk categories
- A tiering strategy to allocate due diligence effort where it matters most
- Best practices tailored to the specific obligations of fintechs, money transmitters, crypto firms, and banks
The scope covers BSA/AML screening, sanctions exposure, licensing verification, and cross-border data protection requirements — areas where most enterprise risk frameworks fall short.
TL;DR
- Regulated entities are accountable for their vendors' compliance failures — VDD is a regulatory mandate, not optional
- A complete vendor assessment covers six risk categories: legal identity, financial health, AML/sanctions, licensing, cybersecurity, and operational resilience
- Tier vendors by risk level — critical partners like KYC platforms, BaaS providers, and API processors need the deepest scrutiny
- VDD isn't one-time — trigger events (M&A, breaches, regulatory changes) require immediate reassessment
- Lean teams can engage fractional CCO or BSA Officer support to build a VDD program that fits their stage and risk profile
What Is Vendor Due Diligence — and Why Regulated Businesses Face Higher Stakes
Vendor due diligence (VDD) is the structured process of evaluating a third party's financial, legal, operational, cybersecurity, and regulatory risk profile before entering — or continuing — a business relationship. It applies at onboarding, at contract renewal, and at every material change in the vendor relationship.
A weak vendor is an inconvenience for most businesses. For a regulated financial firm, it's a direct path to regulatory exposure.
Why Regulated Entities Bear More Risk
Financial services firms are held accountable for their vendors' compliance failures. If a vendor violates AML obligations, mishandles customer data, or operates in a jurisdiction without the required licenses, the regulated firm using that vendor can face:
- Regulatory enforcement action or formal findings
- Material fines and remediation costs
- Loss of banking access or sponsor bank relationships
The 2023 interagency third-party risk guidance from the OCC, FDIC, and Federal Reserve requires risk-based due diligence across the full vendor relationship lifecycle — not just at onboarding. The UK's PRA supervisory statement SS2/21 and the EBA's outsourcing guidelines set equivalent expectations for European firms.
The Fourth-Party Problem
Vendor networks have grown far more complex. A fintech may rely on a BaaS bank, which relies on a core processor, which relies on a cloud infrastructure provider. Your vendor's vendor — fourth-party risk — can trigger the same regulatory exposure as a direct vendor failure.
The Synapse collapse illustrated this precisely: middleware sitting between consumer-facing fintechs and their underlying banking partners created accountability gaps that regulators are still addressing.
The Vendor Due Diligence Checklist: 6 Key Risk Categories
Category 1 — Business Identity and Legal Standing
Confirm the vendor actually is who they claim to be and holds the authorizations they claim to hold.
- Verify corporate registration documents, articles of incorporation, and proof of operation in relevant jurisdictions
- For US vendors: check FinCEN MSB registration and NMLS Consumer Access for money transmitter licenses
- For UK vendors: verify FCA authorization via the FCA register for payment and e-money institutions
- For EU vendors: use the EBA EUCLID register for payment institutions
- For Canadian vendors: check the FINTRAC MSB Registry (statuses include Registered, Expired, Ceased, and Revoked; registration alone is not an endorsement)
- Review beneficial ownership structure to identify undisclosed controlling parties

Key point: For fintech and crypto vendors, confirm they are authorized to provide the specific services they offer — not just that they're incorporated.
Category 2 — Financial Health and Stability
A vendor facing financial distress can abruptly discontinue services, creating operational disruption and regulatory exposure. Synapse is the clearest recent example.
Collect and review:
- Recent financial statements and balance sheets
- Evidence of adequate capitalization relative to the services provided
- Credit assessment data or ratings where available
- Any publicly disclosed restructuring, receivership, or significant debt obligations
For critical vendors, have someone with accounting expertise review the financials — not just legal or compliance staff.
Category 3 — AML, Sanctions, and Reputational Risk Screening
This category is unique to regulated financial businesses. Generic VDD processes often skip it entirely.
Sanctions screening: Check the vendor and its key principals against:
- OFAC Specially Designated Nationals (SDN) list
- UK Sanctions List (the OFSI Consolidated List closed January 28, 2026; the UK Sanctions List is now the sole source)
- UN Security Council Consolidated List
- EU consolidated financial sanctions list
Reputational screening: Search for adverse media, prior regulatory enforcement actions, CFPB/FCA/FINTRAC findings, and criminal proceedings involving the vendor or its principals.
AML program review: If the vendor handles financial transactions, assess whether they maintain:
- A written AML/BSA policy
- A designated compliance officer
- A SAR/STR filing process and transaction monitoring capability
Category 4 — Regulatory Compliance and Licensing
Map the vendor's compliance posture against the regulatory frameworks that govern your relationship:
| Framework | Relevance |
|---|---|
| GDPR / UK GDPR | Data processing vendors — 72-hour breach notification required |
| Regulation E | Payment processors handling consumer fund transfers |
| MiCA | Crypto-asset service providers operating in the EU |
| BSA/FinCEN requirements | US-facing vendors involved in financial transactions |
| FCA authorization | UK payment and e-money institutions |
Request evidence of applicable certifications: SOC 2 (covers Security, Availability, Processing Integrity, Confidentiality, and Privacy), ISO/IEC 27001, and PCI DSS where payment data is involved.
Category 5 — Cybersecurity and Data Protection
According to IBM's 2025 Cost of a Data Breach Report, the global average breach cost reached $4.44 million, with the financial sector consistently ranking among the hardest-hit industries. Verizon's 2025 DBIR identified third-party involvement as a major cross-sector breach theme.
Assess vendors on:
- Documented incident response procedures and client notification timelines
- Data handling practices: encryption standards, access controls, data residency policies
- Independent security ratings or third-party audit results (SOC 2, ISO 27001)
- FTC Safeguards Rule compliance for US financial institutions (breach notification required for unauthorized acquisition of unencrypted data covering 500+ consumers)
Category 6 — Operational Resilience and Business Continuity
Review the vendor's ability to maintain services when things go wrong:
- Business continuity plan (BCP) and disaster recovery procedures
- Subcontractor and fourth-party dependencies — does the vendor rely on a third party that could fail?
- SLAs, uptime guarantees, and defined escalation procedures
- Cybersecurity and professional liability insurance coverage
The OCC's third-party risk guidance specifically identifies subcontracting, audit/access rights, business continuity, and termination provisions as contract elements that should reflect the risk profile of the relationship.
How to Tier Vendors by Risk Level
Applying maximum scrutiny to every vendor wastes compliance resources. A three-tier model directs effort where the risk actually sits.
The Three Tiers
| Tier | Description | Examples |
|---|---|---|
| General | No access to sensitive data or regulated systems | Office suppliers, travel vendors |
| Sensitive/Confidential | Access to customer data or payment systems | Marketing platforms with customer data, HR software |
| Critical/Strategic | Mission-critical services the firm cannot operate without | KYC/AML platforms, BaaS partners, API processors, crypto custody |

How to Assign Tiers
Factors that push a vendor toward Critical tier:
- Access to sensitive customer data or payment infrastructure
- Involvement in regulated activities (identity verification, payments, lending)
- Location in a high-risk jurisdiction
- Potential to create direct regulatory liability for your firm
- Contractual irreplaceability
For fintech and crypto firms, KYC/AML platform vendors, BaaS partners, and core API processors qualify as Critical. The vendor's own marketing doesn't change that classification.
Tiering Drives Monitoring Frequency
- Annual formal review for Critical vendors, with immediate reassessment on trigger events
- Contract renewal review for Sensitive vendors, or sooner on material changes
- Lightweight onboarding review for General vendors, with periodic spot checks
When to Conduct Vendor Due Diligence
Before Onboarding — No Exceptions
Due diligence must be completed before signing contracts or granting system access. Skipping pre-contract VDD is one of the most common regulatory findings in third-party risk examinations. If the vendor later causes harm, regulators will ask when and how you assessed them.
Trigger Events That Require Immediate Reassessment
Don't wait for the annual review cycle if any of these occur:
- Contract renewal or material scope expansion
- The vendor is acquired by or merges with another entity
- A significant regulatory change affects the vendor's sector
- A reported data breach or adverse media event involving the vendor
- A change in key vendor leadership (CEO, CCO, or BSA Officer departures)
Continuous Monitoring Between Formal Reviews
For vendors in high-risk sectors — crypto, cross-border payments, digital assets — annual reviews alone won't catch the regulatory changes that matter. The environment moves too fast. Continuous monitoring keeps your assessment current between formal cycles and covers:
- Sanctions list updates (OFAC, UK Sanctions List, EU consolidated list)
- Adverse media and reputational alerts
- Cybersecurity threat intelligence relevant to the vendor's infrastructure
Vendor Due Diligence Best Practices for Fintech and Crypto Companies
Build a Written, Risk-Based Framework
Regulators don't just want a process — they want to see it documented. A written vendor due diligence policy should define:
- Risk tier definitions and assignment criteria
- Required documentation by tier
- Review frequency and trigger events
- Escalation and approval procedures
Align the framework with applicable guidance for your jurisdiction:
- US firms: OCC 2023 interagency third-party risk management guidance
- UK-regulated firms: FCA outsourcing and operational resilience expectations
- EU entities: EBA outsourcing guidelines
- Canadian MSBs: FINTRAC compliance program requirements
Customize Questionnaires by Vendor Type
A generic questionnaire misses the questions that actually matter. Tailor your due diligence to the vendor's role:
- KYC/AML platform vendors: Ask about their own AML controls, regulatory approvals, and SAR filing processes
- Cloud infrastructure vendors: Focus on data residency, encryption standards, and incident response timelines
- Crypto custody partners: Assess travel rule compliance, VASP licensing status, and insurance coverage
Extend Due Diligence to Fourth-Party Risk
Require vendors to disclose their material subcontractors. In BaaS arrangements particularly, there are often multiple technology layers between the consumer-facing product and the underlying regulated entity — each one a potential failure point.
Federal agencies have directly warned banks about layered third-party deposit and payment arrangements — and regulators have cited firms for failing to map these downstream dependencies during examinations.
Protect the Firm Through Contract Terms
VDD findings should drive contract requirements. For regulated vendor relationships, contracts should include:
- Right-to-audit clauses
- Breach notification timelines aligned with applicable regulations (GDPR/UK GDPR: 72 hours)
- Data return and destruction provisions on termination
- AML compliance representations
- Business continuity obligations for critical vendors
- Consequences for regulatory non-compliance

Assign Clear Internal Ownership
Someone specific must own vendor due diligence. Define who initiates VDD, who reviews findings, who makes approval decisions, and who manages ongoing monitoring.
In lean fintech teams, this accountability falls to the CCO or BSA Officer. Make sure that person has direct escalation authority and enough bandwidth to act on findings — not just document them.
Building a VDD Program Without a Full-Time Compliance Team
Many seed-stage and Series A/B fintechs need a structured vendor due diligence program long before they can justify a full-time Chief Compliance Officer or BSA Officer. Without dedicated compliance leadership, vendor assessments tend to be incomplete, inconsistent, or handled by staff without the regulatory depth the work requires.
The Fractional Compliance Model
A fractional CCO, BSA Officer, CAMLO, or MLRO can design and implement a right-sized VDD program at a fraction of the cost of a full-time hire. The scope typically covers:
- Building the policy framework and risk tier assignments
- Conducting initial vendor assessments and ongoing monitoring protocols
- Developing vendor management policies for BaaS compliance programs
- Serving as a named compliance officer with vendor oversight embedded in the role
Fraxtional places director-level fractional leaders in exactly these roles across fintech, crypto, and banking companies in the US, UK, Canada, and EU.
For sponsor bank relationships specifically, a well-documented VDD program is part of what sponsor banks scrutinize before approving partnerships. Fraxtional's sponsor bank relationship services include reviewing and refining the compliance stack — including vendor management frameworks — before a fintech meets with potential bank partners.
Why Proactive Program Building Matters
Regulators evaluate a firm's vendor due diligence program as part of their own oversight reviews. The FDIC's 2023 consent order against Cross River Bank required FDIC non-objection before entering new third-party agreements — a signal of just how closely third-party programs are scrutinized.

A documented, risk-based VDD process signals compliance maturity — which carries real weight when a bank partner, institutional investor, or examiner starts asking questions.
Frequently Asked Questions
What is vendor due diligence?
Vendor due diligence (VDD) is the structured process of assessing a third-party vendor's financial, operational, and regulatory risk profile — covering legal, cybersecurity, and compliance exposure — before or during a business relationship. The goal is to identify and manage the risks that external partners introduce.
What is the difference between vendor due diligence and commercial due diligence?
Vendor due diligence is conducted by a buyer or client to assess risks posed by a supplier or service provider. Commercial due diligence is typically performed in M&A contexts to evaluate a target company's market position, revenue model, and competitive standing.
How often should vendor due diligence be conducted?
VDD is not a one-time exercise. Critical and strategic vendors should be formally reviewed at least annually. Trigger events — regulatory changes, data breaches, vendor M&A activity, and contract renewals — should prompt immediate reassessment regardless of the scheduled review cycle.
What documents are typically required for vendor due diligence?
Core documents include corporate registration and licensing records, financial statements, cybersecurity certifications (SOC 2, ISO 27001), AML and compliance policies, and business continuity plans. The exact requirements vary by the vendor's assigned risk tier.
What are the key red flags during vendor due diligence?
Watch for: sanctions or PEP matches on key personnel, unresolved regulatory enforcement actions, inability to provide evidence of required licenses, unexplained gaps in financial statements, prior data breaches without documented remediation, and refusal to complete the due diligence questionnaire.
Do fintech and crypto companies have special vendor due diligence obligations?
Yes. Regulators including FinCEN, the OCC, FCA, and FINTRAC hold regulated entities accountable for their vendors' compliance failures. VDD for these firms must cover AML program assessment, sanctions screening, licensing verification, and jurisdiction-specific data protection requirements — well beyond a standard commercial review.


